Did Someone Just Share a Random Google Doc With You?

Journalists in newsrooms across the United States are swapping warnings about what appears to be a widespread phishing attack, sent via a particularly sneaky invitation to a fake Google Doc.

The scope of the attack is not limited to news organizations, but appears to be spreading on a massive scale through people’s contacts. If you’re concerned your account has been compromised, you can go to Google’s security page to adjust permissions. (Look for “manage apps,” and revoke access to untrusted apps.)

Several IT experts are describing the attack as huge, startlingly fast-moving, and perplexing. Just in the course of writing this short post, I received two separate emails that appear to be part of the attack. In one Reddit thread, where people are trading information about the attack, someone describes the scam as “almost undetectable.” But there are clues to look out for—both of the suspicious emails I received were sent to an odd email address, hhhhhhhhhhhhhhhh@mailinator.com, with me blind-copied.

There are two big reasons why this thing is so tricky. For one, it looks legit: An invitation to view a Google Document appears to come from an existing contact. But when a person clicks on the link, the attack immediately replicates itself—meaning, it has the potential to spam all of that person’s contacts with the same message. The second reason it’s so tricky is that it’s unclear what the attack is attempting to do. Phishing is often a way for bad actors to gain unauthorized access to a person’s email or other private accounts, but it’s not yet clear what’s motivating this attack.

ALERT: Widespread phishing email at BC appears to link to shared Google doc. Do NOT click on these links. BC IT working to block the msgs.

As in most cases of widespread cyberattack, vulnerabilities are found, exploited, then eventually patched—before hackers figure out the next way to game the system and the cycle repeats itself. A spokesperson for Google told me she would look into what’s happening, but didn’t immediately have any information to share.

Later, Google tweeted that it had “removed the fake pages” and is working to “prevent this kind of spoofing from happening again.”Google encouraged people to report any potential phishing attempts within Gmail.

We want to hear what you think about this article. Submit a letter to the editor or write to letters@theatlantic.com.

Adrienne LaFrance is the editor of TheAtlantic.com. She was previously a senior editor and staff writer at The Atlantic.